Posted to users@sling.apache.org by Sandro Boehme <sa...@gmx.de> on 2012/09/16 20:41:26 UTC

Something like a jcr:execute privilege?

Hello,

I understand that I can deny jcr:all for /apps and also for a script 
path that is mounted from a bundle via
<Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
After that the user will not see the scripts anymore. But if they are 
called to render a resource they are still executed. Is there a way to 
have something like jcr:execute to specify which users are allowed to 
execute the scripts?

Best,

Sandro

Re: Something like a jcr:execute privilege?

Posted by Sandro Boehme <sa...@gmx.de>.
Hi Felix,

On 17.09.12 15:22, Felix Meschberger wrote:
> Hi Sandro,
>
> On 17.09.2012 at 15:20, Sandro Boehme wrote:
>
>> Hi Felix,
>>
>> my comment is inline.
>>
>> On 17.09.12 11:54, Felix Meschberger wrote:
>>> Hi,
>>>
>>> On 16.09.2012 at 20:41, Sandro Boehme wrote:
>>>
>>>> Hello,
>>>>
>>>> I understand that I can deny jcr:all for /apps and also for a
>>>> script path that is mounted from a bundle via
>>>> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
>>>> After that the user will not see the scripts anymore. But if they are
>>>> called to render a resource they are still executed. Is there a way
>>>> to have something like jcr:execute to specify which users are
>>>> allowed to execute the scripts?
>>>
>>> Yes, something like an execution privilege would have been a solution
>>> (actually my preferred one).
>>>
>>> But we decided to do it differently: The ServletResolver which does
>>> the resolution uses a special user (admin by default) to access the
>> But the scripts are not executed as admin, right? I mean: if anonymous
>> calls a script (jsp, esp, ...) that deletes a node, and anonymous does not
>> have the jcr:removeNode privilege on that node, he would get an error as this
>> script is executed as anonymous, not as admin. Right?
>
> No, no. The special user is only used to find and read the script. It is then executed with the request's session.
Good to know. But I agree. There might be cases where the logic of a 
script might create a new asset that's worth protecting.

Best,

Sandro

>
> Regards
> Felix
>
>>
>> Best,
>>
>> Sandro
>>
>>> scripts. In addition only scripts at certain locations are ever
>>> considered. IIRC this is /libs and /apps by default such that no
>>> scripts below /var or /tmp may actually be executed.
>>>
>>> Both these features allow for this "security".
>>>
>>> Regards Felix
>>>
>>
>
>


Re: Something like a jcr:execute privilege?

Posted by Felix Meschberger <fm...@adobe.com>.
Hi Sandro,

On 17.09.2012 at 15:20, Sandro Boehme wrote:

> Hi Felix,
> 
> my comment is inline.
> 
> On 17.09.12 11:54, Felix Meschberger wrote:
>> Hi,
>> 
>> On 16.09.2012 at 20:41, Sandro Boehme wrote:
>> 
>>> Hello,
>>> 
>>> I understand that I can deny jcr:all for /apps and also for a
>>> script path that is mounted from a bundle via
>>> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
>>> After that the user will not see the scripts anymore. But if they are
>>> called to render a resource they are still executed. Is there a way
>>> to have something like jcr:execute to specify which users are
>>> allowed to execute the scripts?
>> 
>> Yes, something like an execution privilege would have been a solution
>> (actually my preferred one).
>> 
>> But we decided to do it differently: The ServletResolver which does
>> the resolution uses a special user (admin by default) to access the
> But the scripts are not executed as admin, right? I mean: if anonymous 
> calls a script (jsp, esp, ...) that deletes a node, and anonymous does not 
> have the jcr:removeNode privilege on that node, he would get an error as this 
> script is executed as anonymous, not as admin. Right?

No, no. The special user is only used to find and read the script. It is then executed with the request's session.

Regards
Felix

> 
> Best,
> 
> Sandro
> 
>> scripts. In addition only scripts at certain locations are ever
>> considered. IIRC this is /libs and /apps by default such that no
>> scripts below /var or /tmp may actually be executed.
>> 
>> Both these features allow for this "security".
>> 
>> Regards Felix
>> 
> 


Re: Something like a jcr:execute privilege?

Posted by Sandro Boehme <sa...@gmx.de>.
Hi Felix,

my comment is inline.

On 17.09.12 11:54, Felix Meschberger wrote:
> Hi,
>
> On 16.09.2012 at 20:41, Sandro Boehme wrote:
>
>> Hello,
>>
>> I understand that I can deny jcr:all for /apps and also for a
>> script path that is mounted from a bundle via
>> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
>> After that the user will not see the scripts anymore. But if they are
>> called to render a resource they are still executed. Is there a way
>> to have something like jcr:execute to specify which users are
>> allowed to execute the scripts?
>
> Yes, something like an execution privilege would have been a solution
> (actually my preferred one).
>
> But we decided to do it differently: The ServletResolver which does
> the resolution uses a special user (admin by default) to access the
But the scripts are not executed as admin, right? I mean: if anonymous 
calls a script (jsp, esp, ...) that deletes a node, and anonymous does not 
have the jcr:removeNode privilege on that node, he would get an error as this 
script is executed as anonymous, not as admin. Right?

Best,

Sandro

> scripts. In addition only scripts at certain locations are ever
> considered. IIRC this is /libs and /apps by default such that no
> scripts below /var or /tmp may actually be executed.
>
> Both these features allow for this "security".
>
> Regards Felix
>


Re: Something like a jcr:execute privilege?

Posted by Felix Meschberger <fm...@adobe.com>.
Hi,

On 16.09.2012 at 20:41, Sandro Boehme wrote:

> Hello,
> 
> I understand that I can deny jcr:all for /apps and also for a script 
> path that is mounted from a bundle via
> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
> After that the user will not see the scripts anymore. But if they are 
> called to render a resource they are still executed. Is there a way to 
> have something like jcr:execute to specify which users are allowed to 
> execute the scripts?

Yes, something like an execution privilege would have been a solution (actually my preferred one).

But we decided to do it differently: The ServletResolver which does the resolution uses a special user (admin by default) to access the scripts. In addition only scripts at certain locations are ever considered. IIRC this is /libs and /apps by default such that no scripts below /var or /tmp may actually be executed.

Both these features allow for this "security".

Regards
Felix

Re: Something like a jcr:execute privilege?

Posted by Sandro Boehme <sa...@gmx.de>.
Thanks for your answer Eric!
After thinking about it for a quiet minute I recognized that the user can 
still use curl to display, modify, ... content the same way as the 
script. And in the end these actions are denied or allowed by the 
privileges on the content.
But your hint about the PrivilegesInfo comes in handy when some HTML 
element needs to be disabled upfront to show the user that he will not 
be allowed to take the action.

Best,

Sandro



On 17.09.12 03:20, Eric Norman wrote:
> I usually just do my own access check inside each script that is updating
> something using the PrivilegesInfo class (see [1]).
>
> For example, something like this:
>
> <%
>     var privilegesInfo = new Packages.org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo();
>     if (!privilegesInfo.canModifyProperties(currentNode)) {
>         // not allowed, so respond that this page doesn't exist for the current user
>         response.sendError(404);
>     } else {
> %>
> TODO: render your page here.
> <%
>     } /* end else */
> %>
>
> 1.
> http://sling.apache.org/apidocs/sling6/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.html
>
> On Sun, Sep 16, 2012 at 11:41 AM, Sandro Boehme <sa...@gmx.de>wrote:
>
>> Hello,
>>
>> I understand that I can deny jcr:all for /apps and also for a script path
>> that is mounted from a bundle via
>> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
>> After that the user will not see the scripts anymore. But if they are
>> called to render a resource they are still executed. Is there a way to have
>> something like jcr:execute to specify which users are allowed to execute the
>> scripts?
>>
>> Best,
>>
>> Sandro
>>
>


Re: Something like a jcr:execute privilege?

Posted by Eric Norman <er...@gmail.com>.
I usually just do my own access check inside each script that is updating
something using the PrivilegesInfo class (see [1]).

For example, something like this:

<%
    var privilegesInfo = new Packages.org.apache.sling.jcr.jackrabbit.accessmanager.PrivilegesInfo();
    if (!privilegesInfo.canModifyProperties(currentNode)) {
        // not allowed, so respond that this page doesn't exist for the current user
        response.sendError(404);
    } else {
%>
TODO: render your page here.
<%
    } /* end else */
%>

1.
http://sling.apache.org/apidocs/sling6/org/apache/sling/jcr/jackrabbit/accessmanager/PrivilegesInfo.html

On Sun, Sep 16, 2012 at 11:41 AM, Sandro Boehme <sa...@gmx.de>wrote:

> Hello,
>
> I understand that I can deny jcr:all for /apps and also for a script path
> that is mounted from a bundle via
> <Sling-Initial-Content>folder/in/bundle;overwrite:=true;path:=/folder/in/resource/tree</Sling-Initial-Content>.
> After that the user will not see the scripts anymore. But if they are
> called to render a resource they are still executed. Is there a way to have
> something like jcr:execute to specify which users are allowed to execute the
> scripts?
>
> Best,
>
> Sandro
>
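A JSP variant of the in-script check Eric describes, added here as an example rather than taken from the thread or from the Sling project: it uses the standard JCR AccessControlManager instead of Sling's PrivilegesInfo, so it works without the Jackrabbit access manager bundle, and it relies on Felix's point that the script body runs with the request's own session. It assumes the Sling JSP taglib's defineObjects is available to provide currentNode and response.

```jsp
<%@ page session="false" import="javax.jcr.Session,javax.jcr.security.AccessControlManager,javax.jcr.security.Privilege" %>
<%@ taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %>
<sling:defineObjects/>
<%
    // The servlet resolver located this script with its privileged user,
    // but the scriptlet runs with the request's session, so the check
    // below reflects the calling user's privileges, not admin's.
    if (currentNode == null) {
        // Resource is not backed by a JCR node: nothing to check against.
        response.sendError(404);
        return;
    }
    Session session = currentNode.getSession();
    AccessControlManager acm = session.getAccessControlManager();
    // jcr:modifyProperties is the privilege Eric's canModifyProperties()
    // check is named for; use Privilege.JCR_REMOVE_NODE etc. for other actions.
    Privilege[] needed = new Privilege[] {
        acm.privilegeFromName(Privilege.JCR_MODIFY_PROPERTIES)
    };
    if (!acm.hasPrivileges(currentNode.getPath(), needed)) {
        // Hide the page rather than confirm it exists, as in Eric's example.
        response.sendError(404);
        return;
    }
%>
<p>Rendered for <%= session.getUserID() %> on <%= currentNode.getPath() %></p>
```

As Sandro notes, the same privileges still govern what a direct curl request can do to the content; the in-script check only decides what gets rendered, it does not replace the ACL on the node.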